Re: setting files attributes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thursday 15 April 2004 08:26, Stephen Smalley wrote:
> On Thu, 2004-04-15 at 08:18, Gene Czarcinski wrote:
> > What make -C /etc/security/selinux/src/policy/ relabel appears to do is
> > to go through the all mounted filesystems and set the attributes
> > depending on the rules it has.  The question is, does it follow symbolic
> > links or not.  If it does not, then there should not be a problem as long
> > as all of the policy rules always use the actual (non-symbolic-link) path
> > AND make sure we do also if we do something manually.
>
> setfiles does not follow symlinks during the traversal (FTW_PHYS).  It
> also attempts to detect multiple hard links to the same file and issue
> warnings if they would yield different security contexts.
>
> > However, I can see a problem occurring if it does follow symbolic links
> > because the process likely occurs in sorted order.  Now /tmp is clears
> > (or so it says and, I hope, that means /var/tmp/ also), so I should not
> > be able to rename /usr/X11R6/bin/Xorg.  However, what if I had a symbolic
> > link from my home directory to something in /etc.  Would that get
> > mislabeled?
>
> setfiles doesn't follow symlinks during the traversal, but there is a
> legitimate concern about malicious symlinks created during the traversal
> after descent.  At present, this is mitigated by policy - setfiles is
> not allowed to follow untrustworthy symlinks.

That is a relief.  Now folks just need to understand not to do anything 
manually with a symlink in the path.

Gene


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux